By default, Invicti does not scan domains that differ from the domain of the Target URL. For example, when you scan http://example.com and a page links to http://api.example.com, Invicti will not follow that link or scan anything on http://api.example.com. Instead, such links are reported as Out of Scope Links in the Knowledge Base Viewer.
In both Invicti Enterprise and Invicti Standard, you can use the Additional Websites feature to specify which other websites you want to scan.
Additional Websites Fields
This table lists and describes the fields in the Additional Websites tab.
- New: Click to add additional URLs. Two additional fields are displayed.
- URL: The URL of the additional website.
- Canonical: Enable to scan canonical URLs to prevent scanning duplicate pages. If this option is enabled, when the Invicti scanner detects a link to a canonical domain, such as http://www.example.com/blogs/foo-bar, it will be converted to http://example.com/blogs/foo-bar and scanned via this URL.
How to Configure Additional Websites in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- On the New Scan page, select Additional Websites.
- Select New.
- In the URL field, enter the additional website.
- Enable Canonical, if required.
- Add as many Additional Websites as required.
- Select Launch.
Please note that you can only add websites that are allowed by your license.
How to Configure Additional Websites in Invicti Standard
- Open Invicti Standard.
- From the Home tab, click New. The Start a New Website or New Service Scan dialog is displayed.
- From the Scan Settings section, select Additional Websites.
- In the URL field, enter the additional website (including its protocol and port if the target is running on a non-default port), such as http://api.example.com and http://docs.example.com:8043.
- Enable Canonical, if required (if, for example, http://example.com and http://www.example.com point to the same website). When this option is enabled and the Invicti scanner detects a link to a canonical domain, such as http://www.example.com/blogs/foo-bar, it will be converted to http://example.com/blogs/foo-bar and scanned via this URL.
- Click Start Scan.
The Invicti scanner treats canonical links as the target website's links and applies the same scan settings to them.
The Scan Profile and Settings Used for the Additional Websites
For more information about configuring and managing Scan Profiles in Invicti Enterprise and Invicti Standard, see Overview of Scan Profiles.
Setting the Scan Scope
The configured Scan Scope settings do not apply to Additional Websites unless the Canonical option is enabled. Instead, the Whole Domain scan scope always applies. This means that all of the detected pages and subfolders on the additional website will be scanned.
Including and Excluding URLs
The configured Include/Exclude URLs apply to Additional Websites too. So, if an additional website's links contain the exit or endsession keywords, those links will be excluded from the scan.
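The scoping rules described above (target-only scope, Additional Websites, the Canonical conversion, and Exclude keywords) can be modelled as a small link classifier. This is an added example, not Invicti's own code; it assumes that a link is in scope only when its scheme, host and port match the target or an additional website, that Canonical strips a leading "www.", and that Exclude entries are plain substrings.

```python
from urllib.parse import urlsplit

# Constructed model of the scan-scope rules; assumptions are noted inline.
TARGET = "http://example.com"
ADDITIONAL = [                      # (url, canonical flag) as entered in the Additional Websites tab
    ("http://api.example.com", False),
    ("http://docs.example.com:8043", False),
    ("http://www.example.com", True),   # Canonical: www links are scanned via example.com
]
EXCLUDE = ("exit", "endsession")    # configured Exclude URLs (assumed substring match)


def origin(url):
    """(scheme, host, port) of a URL, filling in the default port (assumption: scheme and port matter)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.scheme, (p.hostname or "").lower(), port


def canonicalize(url):
    """Apply the Canonical conversion: http://www.example.com/x -> http://example.com/x."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    netloc = host if p.port is None else f"{host}:{p.port}"
    return p._replace(netloc=netloc).geturl()


def classify(link, target=TARGET, additional=ADDITIONAL, exclude=EXCLUDE):
    """Return (decision, url): 'scan', 'excluded' or 'out-of-scope' plus the URL that would be scanned."""
    for site, canonical in additional:
        if canonical and origin(link) == origin(site):
            link = canonicalize(link)      # scanned via the canonical URL, i.e. as a target link
            break
    allowed = {origin(target)} | {origin(site) for site, _ in additional}
    if origin(link) not in allowed:
        return "out-of-scope", link        # reported under Out of Scope Links, never requested
    if any(keyword in link for keyword in exclude):
        return "excluded", link            # Include/Exclude URLs apply to additional websites too
    return "scan", link                    # Whole Domain scope: any page or subfolder is scanned


if __name__ == "__main__":
    for sample in ("http://api.example.com/products/1", "http://www.example.com/blogs/foo-bar",
                   "http://docs.example.com:8043/account/exit", "http://cdn.example.com/app.js"):
        print(sample, "->", classify(sample))
```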
For further information about importing links, see Importing links and API definitions.
The URL Rewrite configuration also applies to Additional Websites. If the Heuristic URL Rewrite technology is used, the scanner will try to identify URL Rewrites on the target website automatically. If custom URL Rewrite rules are configured, they apply to Additional Websites as well.
Therefore, if an Additional Website contains a link that matches a configured URL Rewrite pattern, for example http://api.example.com/products/1, the URL Rewrite parameter(s) will be detected automatically.
For further information, see URL Rewrites.
It is not possible to configure authentication settings for Additional Websites via the scan settings.
For further information, see Configuring Form Authentication in Invicti Enterprise.
Reporting Scan Activity and Issues Identified in Additional Websites
The configured Additional Websites will have a node each in the Site Map window, as illustrated.
During a scan, the activity panel of the scan dashboard shows the full URLs, sorted in alphabetical order.
The reports also include an entry that lists all of the configured additional websites that were scanned.
URLs in the reports are shown in full, so that you can see which website contains the issue.